SNI, or Server Name Indication, is an extension to the Transport Layer Security (TLS) suite of Internet protocols. It is going to be an important part of Internet infrastructure for at least the next few years, as the global pool of IPv4 addresses runs out while only a few percent of users have access to IPv6 networks.
Even before IPv4 was running critically low on address space, it was very common practice in web hosting to put more than one website on a single IP address. Typically these websites belonged to a single customer, or, in the case of ‘shared hosting’, that IP could be shared by several unrelated web sites.
The reason that this works is that when the web browser connects to the web server, it sends over a “Host” header, which identifies which site it would like to connect to. This has been the case since the mid-90s, and clients which don’t send “Host” headers are basically extinct. The protocol that powers this is called “HTTP 1.0”.
A single IP address could be enough for a small web agency or freelancer to provide a web presence for all of their customers, as long as they didn’t need SSL.
SSL (Secure Sockets Layer) is the precursor to TLS, and the two terms are often used interchangeably (though they are not identical). It can be thought of as the technology that makes credit card payments and the secure transfer of data on the Internet safe, and it’s the main thing that contributes to the lock icon appearing in your browser’s address or status bar.
Unfortunately for web hosting companies, SSL operates at a layer above HTTP.
As soon as a client has connected to a secure web server, but before sending the “Host” header, the server has to prove its identity to the client. It does this by sending over a certificate which includes its “distinguished name” – basically the domain part of the URL, such as
If example.com and test.com were both hosted on the same IP, then all secure connections would receive the certificate for one of the sites: visitors to test.com will get an ugly error message from their web browser saying that the identity of the site they are connecting to cannot be trusted.
Until recently, the only option for web companies has been to give each and every customer requiring SSL their own IP address.
This has been a looming problem for some time, but many Internet engineers expected that it would be mitigated by the uptake of IPv6. Despite efforts like World IPv6 Day, that uptake has not happened, and a different solution is required.
That solution is SNI.
SNI works with a simple tweak to the way that negotiation between the client and the server happens: when the client first connects, it tells the server which domain it was expecting a certificate for.
With that information, the server can send the correct certificate back to the client every time, avoiding any broken trust messages or a red address bar, and still ensuring that the site is just as secure as it would have been if SNI wasn’t used.
SNI isn’t future technology either. It’s widely deployed and in use by most supported web browsers. All modern versions of Chrome, Safari, Firefox, Opera and their mobile equivalents support it. There are unfortunately a small number of clients which do not:
The good news is that these clients can still connect to the sites which make use of virtual hosting and SNI, but they will be presented with a dialog saying that the certificate presented by the web server doesn’t match what their browser was expecting. They will receive the same level of security as other users, but may be put off by the security message.
Some people will always need to support very old browsers or a client base which can’t upgrade (like most of the public sector), and for those people, using up limited IPs is likely to be the only option that doesn’t involve a compromise.
Forecasts vary, but Windows XP is believed to hold between 13% and 33% of the Windows market. That said, even XP users can use SNI if they are using Mozilla’s Firefox or Google’s Chrome browser.
This is likely to become more difficult and expensive over time, as ISPs start to run short on available address space. Hopefully, with Windows XP finally running out of the last level of Microsoft support in April 2014, these legacy operating systems will finally start to be upgraded and the increase in market share of SNI-capable browsers will outpace the exhaustion of the remaining IP address pools.